VoIP Captures

VoIP calls using the network protocols SIP/SDP and RTP are the de facto standard for voice calls. Wireshark offers some special features to analyze those calls and RTP streams, including a nice “Play Streams” option, which discreetly decodes your calls. Ouch. It is frightening, again and again, how many privacy-related protocols run completely unencrypted over the Internet!

Here are some hints for Wireshark as well as a downloadable pcap with three calls in there. ;) Have fun!

I won’t explain any SIP/SDP/RTP details here. There is much information out there already. I basically want to share a pcap to play with, along with some Wireshark screenshots.

Download the pcap, 7zipped, 473 KB:

Open it with Wireshark and go to Telephony -> VoIP Calls to get this overview:

You can either have a look at the Flow Sequence:

Or you hit the “Play Streams” button to actually listen to the calls in the RTP Player. Wuh:

I have three VoIP calls in the pcap: two G.711 A-law streams and one HD stream with G.722.

Challenge: Who called me? ;D Answer in the comment section!

Another way to have a look at the RTP details is to open Telephony -> RTP -> RTP Streams, click the stream of interest, followed by “Find Reverse” and then Analyze:

This gives you details about the jitter, losses, etc.:
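How loss and jitter figures of this kind can be derived from nothing but the cleartext RTP headers, as an added example (not from the original post and not Wireshark's code). It uses the interarrival jitter estimator from RFC 3550; the sample packets are constructed, and `parse_rtp`, `analyze` and `make_rtp` are names made up for this sketch.

```python
import struct

# Static payload types (RFC 3551) of the two codecs in the capture. G.722
# samples at 16 kHz, but its RTP timestamp clock is defined as 8000 Hz.
CODECS = {8: ("PCMA", 8000), 9: ("G722", 8000)}

def parse_rtp(data):
    """Parse the fixed 12-byte RTP header; None if not RTP version 2."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

def analyze(packets):
    """packets: (arrival_seconds, udp_payload) tuples of one RTP stream."""
    jitter, received, codec = 0.0, 0, None
    base = ext_max = prev = None
    for arrival, data in packets:
        hdr = parse_rtp(data)
        if hdr is None or hdr["pt"] not in CODECS:
            continue
        codec, clock = CODECS[hdr["pt"]]
        received += 1
        if base is None:
            base = ext_max = hdr["seq"]
        else:
            step = (hdr["seq"] - ext_max) & 0xFFFF   # survives 16-bit wrap
            if step < 0x8000:                        # otherwise late/reordered
                ext_max += step
        if prev is not None:
            # RFC 3550 6.4.1: D = arrival spacing minus timestamp spacing
            ts_gap = ((hdr["ts"] - prev[1] + 2**31) % 2**32) - 2**31
            d = (arrival - prev[0]) * clock - ts_gap
            jitter += (abs(d) - jitter) / 16
        prev = (arrival, hdr["ts"])
    expected = 0 if base is None else ext_max - base + 1
    return {"codec": codec, "received": received, "lost": expected - received,
            "jitter_ms": 1000 * jitter / clock if received else 0.0}

def make_rtp(pt, seq, ts, ssrc=0x1234):
    """Build a constructed RTP packet: header plus 160 dummy payload bytes."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + bytes(160)

# Constructed sample: 20 ms PCMA frames, the sequence number wraps, the
# packet with sequence 1 is lost, and the last packet arrives 5 ms late.
SAMPLE = [(0.000, make_rtp(8, 65534, 1000)), (0.020, make_rtp(8, 65535, 1160)),
          (0.040, make_rtp(8, 0, 1320)), (0.085, make_rtp(8, 2, 1640))]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

With SRTP the payload is encrypted, but the RTP header stays in the clear, so these statistics would still be computable while the audio would not be playable.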

Of course, the great Wireshark dissectors work for all protocol details as well, e.g., the SIP packet details: